Security Response Part 1: Don’t Shoot the Messenger

I’ve been working with vulnerability disclosure for more than 15 years and I’m still surprised (and sometimes amazed) at the vast array of responses we get when during the responsible disclosure process with vendors.

Part of the problem is that many companies do not have procedures or processes that encourage (or even allow) people to disclose security concerns.

In many companies the only way to disclose a vulnerability is to open a support ticket, and sometimes even this isn’t possible unless you have a valid serial number for a registered device or software that’s under maintenance.

Even if you can open a support ticket it’s often is routed to an out-sourced support person who has no clue what to do with the information, so they just start sending canned responses that have no relevance what-so-ever to the vulnerability in question.

One of my favorite support responses this year came from a fairly large networking product company. I’ll paraphrase the response to protect the somewhat innocent (and clueless); “You should really use a firewall with our product to protect it from security issues or use our cloud service”.

Security researchers realize that people don’t like to be told they are wrong or they screwed up. But, here’s the hard truth; almost every piece of software/hardware will have security concerns. The security vulnerabilities themselves are less important than how companies respond to and work with security researchers that are trying to help improve the products.

This is one of the key reasons the Zero Day Initiative (ZDI) has become so popular. Researchers that don’t want the headaches that come with disclosing vulnerabilities to companies with no idea how to respond just go to ZDI; they take away the headaches and even pay the researchers.

The tech community and press sometimes gives companies like IBM, Microsoft and Google a hard time, but these companies tend to be the most responsive and easiest to work with on security issues. They are also the most appreciative of researchers that work within the security disclosure process.

These companies recognize that security researchers want to help make products more secure and they understand that researchers invest significant time and effort to ensure a good fix is available. These companies know security researchers are trying to HELP so they don’t shoot the messenger or ignore them hoping they will go away.

In the coming weeks I will be posting series of articles on security response practices and would love to hear your feedback. You can post comments here or send them to me on twitter @btle310.

Thanks,
This is very informational post. I recently graduated from CTU with a BSIT (security concentration). I love the topic of security, yet I am finding it hard to get into without experience. Do you have any suggestions.